Malware Analysis Report

2024-10-16 03:31

Sample ID 240929-2lknyaxfmd
Target ff6ae12266d02f95b208baf95b04476b_JaffaCakes118
SHA256 97e67a2fd6bc40377be7dc7fe0fa7c28e6939d30f9a9fac470b963ef18a825e3
Tags
banload discovery downloader dropper evasion spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

97e67a2fd6bc40377be7dc7fe0fa7c28e6939d30f9a9fac470b963ef18a825e3

Threat Level: Known bad

The file ff6ae12266d02f95b208baf95b04476b_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

banload discovery downloader dropper evasion spyware stealer trojan

Banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Checks BIOS information in registry

Checks computer location settings

Checks installed software on the system

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

NSIS installer

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-29 22:40

Signatures

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-29 22:40

Reported

2024-09-29 22:42

Platform

win7-20240708-en

Max time kernel

145s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ff6ae12266d02f95b208baf95b04476b_JaffaCakes118.exe"

Signatures

Banload

trojan dropper downloader banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ff6ae12266d02f95b208baf95b04476b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nst85C4.tmp\GamesManagerInstaller.exe N/A
N/A N/A C:\Program Files (x86)\GMInstaller\ugm_installer.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\GMInstaller\iWinLauncher.exe C:\Users\Admin\AppData\Local\Temp\nst85C4.tmp\GamesManagerInstaller.exe N/A
File opened for modification C:\Program Files (x86)\GMInstaller\iWinUpgrader.exe C:\Users\Admin\AppData\Local\Temp\nst85C4.tmp\GamesManagerInstaller.exe N/A
File opened for modification C:\Program Files (x86)\GMInstaller\ugm_installer.exe C:\Users\Admin\AppData\Local\Temp\nst85C4.tmp\GamesManagerInstaller.exe N/A
File opened for modification C:\Program Files (x86)\GMInstaller\ C:\Users\Admin\AppData\Local\Temp\nst85C4.tmp\GamesManagerInstaller.exe N/A
File created C:\Program Files (x86)\GMInstaller\ugm_installer.exe C:\Users\Admin\AppData\Local\Temp\nst85C4.tmp\GamesManagerInstaller.exe N/A
File created C:\Program Files (x86)\GMInstaller\iWinLauncher.exe C:\Users\Admin\AppData\Local\Temp\nst85C4.tmp\GamesManagerInstaller.exe N/A
File created C:\Program Files (x86)\GMInstaller\iWinUpgrader.exe C:\Users\Admin\AppData\Local\Temp\nst85C4.tmp\GamesManagerInstaller.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\GamesManager\00000000\downloads\7971459608164109350.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nst85C4.tmp\GamesManagerInstaller.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\preinstall-options.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ff6ae12266d02f95b208baf95b04476b_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\GMInstaller\ugm_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nsz96E4.tmp\iWinInstallOptions.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\iWinArcade C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\iWinArcade\installRoot = "c:\\games\\iWin Games" C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\IrzjrB = "FwlAEyQzpWFkuSUOoEgYFQkPTO@K" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\RqwdqftoqG = "cY" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\iWinArcade C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\{CC3F30AB-FC94-13D1-B2E4-0060975B8649}\eijuxCBtwg = "TL_eYj~Un^qpDP}F" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\kbhTmhmkJ = "UnKKY}m@jDakIdla\x7fBCdG|vUxL]XLrTA" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\{CC3F30AB-FC94-13D1-B2E4-0060975B8649}\mOkgj = "k}HgD`O@IZfkUQHY_HW\x7f" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\mOkgj = "nNl{iHxNW\x7fXXlis@\\te^" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\imznLhi = "v\x7fGNfYNdCXZ|]}L@kEE" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\{CC3F30AB-FC94-13D1-B2E4-0060975B8649}\owOUG = "WmjYxU]zjBXw`H{XTRcmgJfw`{D" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\VirtualStore\MACHINE\SOFTWARE\Wow6432Node C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\owOUG = "roUr@~jVyIII^apK}\\`pKulU^`I" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\mOkgj = "nNl{iHxNWoXXlis@\\de^" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\InProcServer32\ThreadingModel = "Both" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\{CC3F30AB-FC94-13D1-B2E4-0060975B8649}\IrzjrB = "\\]hqbhMsu~~n_DeKWOQ]z_{^ENyn" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\{CC3F30AB-FC94-13D1-B2E4-0060975B8649}\owOUG = "WmjYxU]zjBXw`H{XTSCmgJfvX`|" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\owOUG = "roUr@~jVyIII^apK}_ppKulWK\x7fz" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\mOkgj = "nNl{iHxNVOXXlis@]De^" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\{CC3F30AB-FC94-13D1-B2E4-0060975B8649}\RqwdqftoqG = "XI" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\{CC3F30AB-FC94-13D1-B2E4-0060975B8649}\RqwdqftoqG = "JZ" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\{CC3F30AB-FC94-13D1-B2E4-0060975B8649}\RqwdqftoqG = "Hh" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\RqwdqftoqG = "wx" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\{CC3F30AB-FC94-13D1-B2E4-0060975B8649}\owOUG = "WmjYxU]zjBXw`H{XTPSmgJfuEbk" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\{CC3F30AB-FC94-13D1-B2E4-0060975B8649}\RqwdqftoqG = "Xt" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\{CC3F30AB-FC94-13D1-B2E4-0060975B8649}\owOUG = "WmjYxU]zjBXw`H{XTUCmgJftCqY" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\VirtualStore C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\iWinArcade\Legendary Slide 2 Platinum Edition\GameExe = "GameLauncher.exe" C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\{CC3F30AB-FC94-13D1-B2E4-0060975B8649}\RqwdqftoqG = "MH" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\{CC3F30AB-FC94-13D1-B2E4-0060975B8649}\owOUG = "WmjYxU]zjBXw`H{XTSSmgJfthjj" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\{CC3F30AB-FC94-13D1-B2E4-0060975B8649}\imznLhi = "s|eh[BJ\\Q{_\x7f\\qrKZH`" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\owOUG = "roUr@~jVyIII^apK}^`pKulUGTR" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\{CC3F30AB-FC94-13D1-B2E4-0060975B8649}\mOkgj = "k}HgD`O@HzfkUQHY^hW\x7f" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\iWinArcade\7971459608164109350 = "Legendary Slide 2 Platinum Edition" C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\iWinArcade\Legendary Slide 2 Platinum Edition\SkuID = "7971459598412844403" C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\iWinArcade\Legendary Slide 2 Platinum Edition\GameID = "7971459608164109350" C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\InProcServer32 \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\owOUG = "roUr@~jVyIII^apK}\\ppKulWnj_" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\{CC3F30AB-FC94-13D1-B2E4-0060975B8649}\Nywropthembr = "uqhlBPqAG\\QsQ~ULdCDUDxEsHbWfuI\\~" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\iWinArcade\Legendary Slide 2 Platinum Edition\InstallDir = "c:\\games\\iWin Games\\Legendary Slide 2 Platinum Edition" C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\RqwdqftoqG = "hY" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\Nywropthembr = "u\x7fVagKVytKrE]xortSEUUsDg~xtpaUtV" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\{CC3F30AB-FC94-13D1-B2E4-0060975B8649}\kbhTmhmkJ = "qT`rcOhkmF\x7fFXNyKa\x7ff[TW\x7fKkWCkh\\Za" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22} \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\mOkgj = "nNl{iHxNW_XXlis@\\Te^" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\{CC3F30AB-FC94-13D1-B2E4-0060975B8649}\owOUG = "WmjYxU]zjBXw`H{XTRsmgJfuPqR" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\{CC3F30AB-FC94-13D1-B2E4-0060975B8649} \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\{CC3F30AB-FC94-13D1-B2E4-0060975B8649}\RqwdqftoqG = "Mu" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\owOUG = "roUr@~jVyIII^apK}_`pKulU{ul" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\RqwdqftoqG = "tg" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\RqwdqftoqG = "af" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\{CC3F30AB-FC94-13D1-B2E4-0060975B8649}\owOUG = "WmjYxU]zjBXw`H{XTRSmgJfwLmx" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\VirtualStore\MACHINE C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\{CC3F30AB-FC94-13D1-B2E4-0060975B8649}\owOUG = "WmjYxU]zjBXw`H{XTRCmgJfu|gn" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\owOUG = "roUr@~jVyIII^apK}^PpKulUkBn" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nst85C4.tmp\GamesManagerInstaller.exe N/A
N/A N/A C:\Program Files (x86)\GMInstaller\iWinUpgrader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1724 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\ff6ae12266d02f95b208baf95b04476b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nst85C4.tmp\GamesManagerInstaller.exe
PID 2348 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\nst85C4.tmp\GamesManagerInstaller.exe C:\Program Files (x86)\GMInstaller\iWinUpgrader.exe
PID 2640 wrote to memory of 1144 N/A C:\Program Files (x86)\GMInstaller\ugm_installer.exe C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe
PID 1144 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe
PID 1144 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe
PID 1144 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe
PID 2844 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe C:\Users\Admin\AppData\Local\Temp\preinstall-options.exe
PID 2844 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe C:\Users\Admin\AppData\Local\GamesManager\00000000\downloads\7971459608164109350.exe
PID 1160 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\GamesManager\00000000\downloads\7971459608164109350.exe C:\Users\Admin\AppData\Local\Temp\nsz96E4.tmp\iWinInstallOptions.exe
PID 1144 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe
PID 1144 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe
PID 1144 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe
PID 1144 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ff6ae12266d02f95b208baf95b04476b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ff6ae12266d02f95b208baf95b04476b_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\nst85C4.tmp\GamesManagerInstaller.exe

"C:\Users\Admin\AppData\Local\Temp\nst85C4.tmp\GamesManagerInstaller.exe" -installer.createiwinshortcuts=yes -config.channel=00000000 -config.uri=http://gm/iwin/index.html -config.channelName=iWin -config.iwinrequest="PF/7971459608164109350/7971459598412844403/13/47"

C:\Program Files (x86)\GMInstaller\iWinUpgrader.exe

"C:\Program Files (x86)\GMInstaller\iWinUpgrader.exe" -gmregchannelid=00000000

C:\Program Files (x86)\GMInstaller\ugm_installer.exe

"C:\Program Files (x86)\GMInstaller\ugm_installer.exe" -installer.createiwinshortcuts=yes -config.channel=00000000 -config.uri=http://gm/iwin/index.html -config.channelName=iWin -config.iwinrequest="PF/7971459608164109350/7971459598412844403/13/47"

C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe

"C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe" -config.uri=http://gm/iwin/index.html -config.channel="00000000" -config.iwinrequest="PF/7971459608164109350/7971459598412844403/13/47"

C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe

"C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe" --type=renderer --enable-logging --log-level=2 --no-sandbox --user-agent="NextDM/2.16.2.1015 AppleWebKit/535.19 (KHTML, like Gecko) GamesManager/2.16.2.1015 00000000 WinVer/6.1 [x64]" --awesomium-log-path="C:\Users\Admin\AppData\Local\GamesManager\./awesomium.log" --lang --channel=1144.02A90C80.140256490 /prefetch:3

C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe

"C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe" --type=gpu-process --channel=1144.02B2BDC0.443458940 --enable-logging --log-level=2 --no-sandbox --awesomium-log-path="C:\Users\Admin\AppData\Local\GamesManager\./awesomium.log" /prefetch:12

C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe

"C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe" -gmregcopysrc="HKEY_LOCAL_MACHINE\Software\iWinArcade" -gmregcopydest="HKEY_CURRENT_USER\Software\iWinArcade" -gmregcopylocalmachinedest="HKEY_LOCAL_MACHINE\Software\iWinArcade" -gmregisiwin=true -gmchannelcode=00000000 -game.sku="7971459608164109350" -game.name="Legendary Slide 2 Platinum Edition" -gmregcopyvirtual=HKU\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\iWinArcade -gmreg="Software\iWinArcade" -gmexe="iWinGames.exe" -gmregkey="Install_Dir" -installer="C:\Users\Admin\AppData\Local\GamesManager\00000000\downloads\7971459608164109350.exe" -preinstallurl="http://gm.iwin.com/dl/preinstall-options.exe" -gamestring=7971459608164109350 -config.installRoot="c:\games\iWin Games" -gmInstallRootRegKey="HKEY_CURRENT_USER\Software\iWinArcade\installRoot"

C:\Users\Admin\AppData\Local\Temp\preinstall-options.exe

"C:\Users\Admin\AppData\Local\Temp\preinstall-options.exe" -gamestring=7971459608164109350 /S

C:\Users\Admin\AppData\Local\GamesManager\00000000\downloads\7971459608164109350.exe

"C:\Users\Admin\AppData\Local\GamesManager\00000000\downloads\7971459608164109350.exe" /S

C:\Users\Admin\AppData\Local\Temp\nsz96E4.tmp\iWinInstallOptions.exe

"C:\Users\Admin\AppData\Local\Temp\nsz96E4.tmp\iWinInstallOptions.exe" /S

\??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe

"c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe" ALTUSERNAME;DAYSLEFT;TIMELEFTTOTAL;gid7971459608164109350

Network

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-29 22:40

Reported

2024-09-29 22:42

Platform

win10v2004-20240802-en

Max time kernel

141s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ff6ae12266d02f95b208baf95b04476b_JaffaCakes118.exe"

Signatures

Banload

trojan dropper downloader banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ff6ae12266d02f95b208baf95b04476b_JaffaCakes118.exe N/A (3 identical rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\GamesManagerInstaller.exe N/A (2 identical rows)
N/A N/A C:\Program Files (x86)\GMInstaller\ugm_installer.exe N/A (59 identical rows)

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\GMInstaller\ C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\GamesManagerInstaller.exe N/A
File created C:\Program Files (x86)\GMInstaller\ugm_installer.exe C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\GamesManagerInstaller.exe N/A
File created C:\Program Files (x86)\GMInstaller\iWinLauncher.exe C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\GamesManagerInstaller.exe N/A
File created C:\Program Files (x86)\GMInstaller\iWinUpgrader.exe C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\GamesManagerInstaller.exe N/A
File opened for modification C:\Program Files (x86)\GMInstaller\iWinLauncher.exe C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\GamesManagerInstaller.exe N/A
File opened for modification C:\Program Files (x86)\GMInstaller\iWinUpgrader.exe C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\GamesManagerInstaller.exe N/A
File opened for modification C:\Program Files (x86)\GMInstaller\ugm_installer.exe C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\GamesManagerInstaller.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\GamesManagerInstaller.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nswADB1.tmp\iWinInstallOptions.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\GamesManager\00000000\downloads\7971459608164109350.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\preinstall-options.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ff6ae12266d02f95b208baf95b04476b_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\GMInstaller\iWinUpgrader.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\GMInstaller\ugm_installer.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A
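The registry rows in the tables above (ACPI, BIOS, processor, NLS language, Geo\Nation) are what the sandbox's signatures key on, but the flattened layout makes it hard to see which process did what. The script below is an added example, not code from the report or from the sandbox vendor: it parses rows in this page's Description/Indicator/Process/Target layout, maps each registry path to the report's own signature category, and collapses repeats to one count per process. The ATT&CK technique IDs and the extension of the VirtualBox check to the FADT and RSDT tables (VirtualBox stamps VBOX__ into all three ACPI table keys, the report only shows DSDT) are this example's own additions; the sample rows are copied from the tables on this page.

```python
"""Classify the registry rows a sandbox report lists, per process.

Added example, not part of the original report. It parses rows in the
flattened "Description Indicator Process Target" layout used above and maps
each registry path to the signature category the report uses, so repeated
rows collapse to one line per (process, category).
The ATT&CK IDs in CATEGORIES are this example's own mapping (assumption).
"""
import re
from collections import defaultdict

# A row is: <description> <registry path> <process path> N/A
# Registry paths start with \REGISTRY\; process paths start with a drive
# letter, optionally behind the NT \??\ prefix. Non-greedy matching on the
# registry path stops at the first token that looks like a process path.
ROW_RE = re.compile(
    r"^(?P<desc>Key opened|Key value queried|Key created|Set value \((?:str|data)\))\s+"
    r"(?P<key>\\REGISTRY\\.+?)\s+"
    r"(?P<proc>(?:\\\?\?\\)?[A-Za-z]:\\.+?)\s+N/A$"
)

# (regex on the registry path, report category, ATT&CK technique). The
# technique IDs are this example's assumption, not the report's own table.
CATEGORIES = [
    (r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", "anti-VM (VirtualBox ACPI table)", "T1497.001"),
    (r"\\HARDWARE\\DESCRIPTION\\System\\SystemBios", "BIOS information", "T1082"),
    (r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\", "processor information", "T1082"),
    (r"\\Control\\NLS\\Language", "system language discovery", "T1614.001"),
    (r"\\Control Panel\\International\\Geo\\Nation", "computer location settings", "T1614"),
    (r"\\SystemCertificates\\(AuthRoot|ROOT)\\Certificates\\", "system certificate store", "T1553.004"),
]
_COMPILED = [(re.compile(p, re.IGNORECASE), cat, tid) for p, cat, tid in CATEGORIES]


def parse_row(line):
    """Return (description, registry_key, process) or None for non-row lines."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    return m.group("desc"), m.group("key"), m.group("proc")


def classify_key(key):
    """Return (category, technique) for a registry path, or None if uninteresting."""
    for rx, cat, tid in _COMPILED:
        if rx.search(key):
            return cat, tid
    return None


def summarize(lines):
    """Map process path -> {category: (technique, hit_count)} over report rows."""
    summary = defaultdict(dict)
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        _, key, proc = row
        hit = classify_key(key)
        if hit is None:
            continue
        cat, tid = hit
        _, n = summary[proc].get(cat, (tid, 0))
        summary[proc][cat] = (tid, n + 1)
    return dict(summary)


# Rows copied from the tables on this page (constructed sample input).
SAMPLE_ROWS = r"""
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\iWinArcade C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe N/A
""".strip().splitlines()


if __name__ == "__main__":
    for proc, cats in sorted(summarize(SAMPLE_ROWS).items()):
        print(proc)
        for cat, (tid, n) in sorted(cats.items()):
            print(f"  {tid:<10} {cat} (x{n})")
```

Rows whose path matches none of the patterns (the iWinArcade key, for instance) are dropped on purpose; the point is to surface the fingerprinting and trust-store touches per process, not to reproduce the whole table.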

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\iWinArcade C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\iWinArcade\installRoot = "c:\\games\\iWin Games" C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe N/A

Modifies registry class

Two different things are mixed in this table. GLWorker.exe gives CLSID {38AC272B-1732-3292-5EA3-CA8CB054DE22} (machine-wide, under WOW6432Node) and the per-user key {CC3F30AB-FC94-13D1-B2E4-0060975B8649} (directly under the user's Classes hive) the shape of a real COM registration: InprocServer32 = %SystemRoot%\SysWow64\pla.dll, Version, TypeLib, ProgID, VersionIndependentProgID. The values it actually stores there (kgYiiisba, bhavzqouzdo, ccrymbccmxzd, nkfZVem, bjfern, wzapb, bekjUvucw, ypPpcmnqgujaa) are opaque strings that are rewritten repeatedly with small changes, so the keys serve as a mutable data store behind a legitimate-looking CLSID rather than as a registration for pla.dll. The VirtualStore rows from GamesManager.exe and iWinInstaller.exe are UAC registry virtualization: a non-elevated write to HKLM\SOFTWARE\Wow6432Node\iWinArcade is redirected to the user's Classes\VirtualStore hive, which is where GameName and GameID end up.

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\{CC3F30AB-FC94-13D1-B2E4-0060975B8649}\kgYiiisba = "FWmjYxU]zjBXw`H{XTPcmgJ" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\ccrymbccmxzd = "kIdla\x7fBCdG|vUxL]XLrTACl]NhhxNWo" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\ypPpcmnqgujaa = "XXlis@\\de^v\x7fGNfYNd" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\{CC3F30AB-FC94-13D1-B2E4-0060975B8649}\bhavzqouzdo = "fuwp`yk" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\{CC3F30AB-FC94-13D1-B2E4-0060975B8649}\kgYiiisba = "FWmjYxU]zjBXw`H{XTUCmgJ" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\VirtualStore\MACHINE C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\Version\ = "1.0" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\{CC3F30AB-FC94-13D1-B2E4-0060975B8649}\bhavzqouzdo = "fuBRG|K" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\{CC3F30AB-FC94-13D1-B2E4-0060975B8649}\kgYiiisba = "FWmjYxU]zjBXw`H{XTSSmgJ" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\TypeLib\ = "{03837500-098B-11D8-9414-505054503030}" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\TypeLib \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\nkfZVem = "u\x7fVagKVytKrE]xortSEUUsDg~xtpa" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\{CC3F30AB-FC94-13D1-B2E4-0060975B8649}\bekjUvucw = "Q{_\x7f\\qrKZH`TL_eYj~Un^qpDP}" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\{CC3F30AB-FC94-13D1-B2E4-0060975B8649}\bhavzqouzdo = "fuNueuI" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\bhavzqouzdo = "lWe}QPe" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\bjfern = "UtVFwlAEyQzpWFkuSUOoEgYFQ" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\{CC3F30AB-FC94-13D1-B2E4-0060975B8649}\kgYiiisba = "FWmjYxU]zjBXw`H{XTRSmgJ" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\bhavzqouzdo = "lW|IJEd" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\Version \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\{CC3F30AB-FC94-13D1-B2E4-0060975B8649}\ccrymbccmxzd = "FXNyKa\x7ff[TW\x7fKkWCkh\\ZaF_yRE@O@IJ" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\kgYiiisba = "AroUr@~jVyIII^apK}_ppKu" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\wzapb = "kPTO@KUnKKY}m@jDa" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\bhavzqouzdo = "lUUwGPX" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\{CC3F30AB-FC94-13D1-B2E4-0060975B8649}\ypPpcmnqgujaa = "fkUQHY_HW\x7fs|eh[BJ\\" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\bjfern = "UtVFwlAEyQzpWFkuSUOoEgYFQ" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\{CC3F30AB-FC94-13D1-B2E4-0060975B8649}\kgYiiisba = "FWmjYxU]zjBXw`H{XTRCmgJ" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\{CC3F30AB-FC94-13D1-B2E4-0060975B8649}\bhavzqouzdo = "ftHfWjh" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\iWinArcade\Legendary Slide 2 Platinum Edition\GameName = "Legendary Slide 2 Platinum Edition" C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\{CC3F30AB-FC94-13D1-B2E4-0060975B8649}\bekjUvucw = "Q{_\x7f\\qrKZH`TL_eYj~Un^qpDP}" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\{CC3F30AB-FC94-13D1-B2E4-0060975B8649}\kgYiiisba = "FWmjYxU]zjBXw`H{XTSCmgJ" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\bhavzqouzdo = "lUpbbWJ" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\{CC3F30AB-FC94-13D1-B2E4-0060975B8649}\kgYiiisba = "FWmjYxU]zjBXw`H{XTScmgJ" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\{CC3F30AB-FC94-13D1-B2E4-0060975B8649}\bhavzqouzdo = "fwklJiw" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\kgYiiisba = "AroUr@~jVyIII^apK}Y@pKu" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\kgYiiisba = "AroUr@~jVyIII^apK}_PpKu" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\kgYiiisba = "AroUr@~jVyIII^apK}^@pKu" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\{CC3F30AB-FC94-13D1-B2E4-0060975B8649}\kgYiiisba = "FWmjYxU]zjBXw`H{XTRcmgJ" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\kgYiiisba = "AroUr@~jVyIII^apK}^ppKu" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22} \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\VersionIndependentProgID \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\kgYiiisba = "AroUr@~jVyIII^apK}\\ppKu" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\ypPpcmnqgujaa = "XXlis@\\de^v\x7fGNfYNd" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\nkfZVem = "u\x7fVagKVytKrE]xortSEUUsDg~xtpa" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\ccrymbccmxzd = "kIdla\x7fBCdG|vUxL]XLrTACl]NhhxNW_" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\ProgID \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\kgYiiisba = "AroUr@~jVyIII^apK}\\`pKu" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\{CC3F30AB-FC94-13D1-B2E4-0060975B8649}\ccrymbccmxzd = "FXNyKa\x7ff[TW\x7fKkWCkh\\ZaF_yRE@O@IZ" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\bekjUvucw = "CXZ|]}L@kEEDi]oDYoCS~ID|^V" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\{CC3F30AB-FC94-13D1-B2E4-0060975B8649}\bhavzqouzdo = "fwGzvyV" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\ccrymbccmxzd = "kIdla\x7fBCdG|vUxL]XLrTACl]NhhxNVO" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\kgYiiisba = "AroUr@~jVyIII^apK}\\PpKu" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\{CC3F30AB-FC94-13D1-B2E4-0060975B8649}\ccrymbccmxzd = "FXNyKa\x7ff[TW\x7fKkWCkh\\ZaF_yRE@O@Ij" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\{CC3F30AB-FC94-13D1-B2E4-0060975B8649}\bhavzqouzdo = "fugGb{Y" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\{CC3F30AB-FC94-13D1-B2E4-0060975B8649}\nkfZVem = "uqhlBPqAG\\QsQ~ULdCDUDxEsHbWfu" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\ypPpcmnqgujaa = "XXlis@]De^v\x7fGNfYNd" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\bhavzqouzdo = "lULC\\EY" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\VirtualStore\MACHINE\SOFTWARE C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\InprocServer32\ = "%SystemRoot%\\SysWow64\\pla.dll" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\{CC3F30AB-FC94-13D1-B2E4-0060975B8649}\bjfern = "I\\~\\]hqbhMsu~~n_DeKWOQ]z_" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\{CC3F30AB-FC94-13D1-B2E4-0060975B8649}\ccrymbccmxzd = "FXNyKa\x7ff[TW\x7fKkWCkh\\ZaF_yRE@O@IZ" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{38AC272B-1732-3292-5EA3-CA8CB054DE22}\nkfZVem = "u\x7fVagKVytKrE]xortSEUUsDg~xtpa" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\{CC3F30AB-FC94-13D1-B2E4-0060975B8649}\wzapb = "{^ENynqT`rcOhkmF\x7f" \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\iWinArcade\Legendary Slide 2 Platinum Edition\GameID = "7971459608164109350" C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe N/A

Modifies system certificate store

evasion spyware trojan

The certificate written below identifies itself through its own properties: thumbprint B1BC968BD4F49D622AA89A81F2150152A41D829C (the key name, repeated as the SHA-1 property inside the blob), friendly name "GlobalSign Root CA - R1", subject "GlobalSign Root CA" / "GlobalSign nv-sa", valid 1998-09-01 to 2028-01-28. That is the public GlobalSign R1 root from the Microsoft trusted root program, and a write of exactly this shape to AuthRoot\Certificates is what Windows' automatic root update performs when a process (here GamesManager.exe, which is also the process downloading over the network) builds a TLS chain whose root is not yet cached on the host. On its own the event is weak evidence; an unknown or privately issued root landing in AuthRoot or ROOT would be the real concern.
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48
c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A
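The Blob above is CryptoAPI's serialized certificate-property format, and the thumbprint in the key name is repeated inside it. The decoder below is an added example, not code from the report or from the sandbox vendor: it walks the property records, pulls out the friendly name and the stored hashes, and cross-checks key name, SHA-1 property and the hash of the embedded certificate, which is the check worth running before deciding whether a write to AuthRoot is a trusted root being cached or something else. The property-ID constants are the documented CryptoAPI values. It embeds the leading property records copied from the Blob above (the DER certificate record is not repeated here) and, for the round-trip and tamper checks, a constructed byte string that stands in for a certificate.

```python
"""Decode a CryptoAPI certificate Blob as written under
HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\<store>\\Certificates\\<thumbprint>.

Added example, not code from the report or from the sandbox vendor. The Blob
is a sequence of property records, each
    DWORD propid | DWORD reserved (1) | DWORD length | length bytes
in little-endian order; property 0x20 carries the DER certificate and
property 3 its SHA-1 thumbprint, which must equal the registry key name.
"""
import hashlib
import struct

CERT_SHA1_HASH_PROP_ID = 0x03
CERT_FRIENDLY_NAME_PROP_ID = 0x0B
CERT_CERT_PROP_ID = 0x20
CERT_AUTH_ROOT_SHA256_HASH_PROP_ID = 0x62


def parse_blob(blob):
    """Return {propid: raw bytes} for every property record in the blob."""
    props, off = {}, 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError("truncated property header at offset %d" % off)
        propid, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError("malformed property 0x%x at offset %d" % (propid, off - 12))
        props[propid] = blob[off:off + length]
        off += length
    return props


def build_blob(props):
    """Inverse of parse_blob; used here to construct a test blob."""
    out = bytearray()
    for propid, data in props.items():
        out += struct.pack("<III", propid, 1, len(data)) + data
    return bytes(out)


def friendly_name(props):
    """Property 0x0B is a NUL-terminated UTF-16LE string."""
    raw = props.get(CERT_FRIENDLY_NAME_PROP_ID, b"")
    return raw.decode("utf-16-le").rstrip("\x00")


def thumbprint(cert_bytes):
    """SHA-1 of the DER certificate, upper-case hex, as used for the key name."""
    return hashlib.sha1(cert_bytes).hexdigest().upper()


def verify_blob(blob, key_name):
    """Cross-check the three places the identity lives: registry key name,
    SHA-1 property and a hash of the embedded certificate itself.
    Returns a list of problems; an empty list means consistent."""
    props = parse_blob(blob)
    problems = []
    cert = props.get(CERT_CERT_PROP_ID)
    sha1_prop = props.get(CERT_SHA1_HASH_PROP_ID)
    if cert is None:
        problems.append("no certificate property (0x20)")
    if sha1_prop is None:
        problems.append("no SHA-1 property (0x03)")
    elif sha1_prop.hex().upper() != key_name.upper():
        problems.append("SHA-1 property does not match registry key name")
    if cert is not None:
        if sha1_prop is not None and hashlib.sha1(cert).digest() != sha1_prop:
            problems.append("SHA-1 of embedded certificate does not match SHA-1 property")
        sha256_prop = props.get(CERT_AUTH_ROOT_SHA256_HASH_PROP_ID)
        if sha256_prop is not None and hashlib.sha256(cert).digest() != sha256_prop:
            problems.append("SHA-256 of embedded certificate does not match property 0x62")
    return problems


# Leading property records of the Blob shown in the table above, copied
# record by record (the DER certificate record itself is not repeated).
PAGE_BLOB_PREFIX = bytes.fromhex(
    "5c000000" "01000000" "04000000" "00080000"
    "19000000" "01000000" "10000000" "a823b4a20180beb460cab955c24d7e21"
    "03000000" "01000000" "14000000" "b1bc968bd4f49d622aa89a81f2150152a41d829c"
    "7e000000" "01000000" "08000000" "0000042beb77d501"
    "7a000000" "01000000" "0c000000" "300a06082b06010505070309"
    "7f000000" "01000000" "0c000000" "300a06082b06010505070309"
    "1d000000" "01000000" "10000000" "6ee7f3b060d10e90a31ba3471b999236"
    "14000000" "01000000" "14000000" "607b661a450d97ca89502f7d04cd34a8fffcfd4b"
    "62000000" "01000000" "20000000"
    "ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99"
    "0b000000" "01000000" "30000000"
    "47006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000"
)
PAGE_KEY_NAME = "B1BC968BD4F49D622AA89A81F2150152A41D829C"


def page_prefix_summary():
    """Friendly name and hashes stored in the report's blob, read from the properties."""
    props = parse_blob(PAGE_BLOB_PREFIX)
    sha1_hex = props[CERT_SHA1_HASH_PROP_ID].hex().upper()
    return {
        "friendly_name": friendly_name(props),
        "sha1": sha1_hex,
        "sha256": props[CERT_AUTH_ROOT_SHA256_HASH_PROP_ID].hex(),
        "matches_key_name": sha1_hex == PAGE_KEY_NAME,
    }


def constructed_blob(cert_bytes, name="Constructed Test Root"):
    """Build a self-consistent blob around an arbitrary payload (stand-in for DER)."""
    return build_blob({
        CERT_SHA1_HASH_PROP_ID: hashlib.sha1(cert_bytes).digest(),
        CERT_AUTH_ROOT_SHA256_HASH_PROP_ID: hashlib.sha256(cert_bytes).digest(),
        CERT_FRIENDLY_NAME_PROP_ID: (name + "\x00").encode("utf-16-le"),
        CERT_CERT_PROP_ID: cert_bytes,
    })


if __name__ == "__main__":
    print(page_prefix_summary())
    fake = b"constructed payload, not a real certificate"  # constructed, not DER
    blob = constructed_blob(fake)
    print("consistent:", verify_blob(blob, thumbprint(fake)))
    print("wrong key name:", verify_blob(blob, "00" * 20))
```

With the full Blob from the table, the same parse_blob call yields the 889-byte DER certificate under property 0x20, and verify_blob against the key name is the whole check: a blob whose embedded certificate does not hash to the key it sits under has been planted by hand rather than written by CryptoAPI.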

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\GamesManagerInstaller.exe N/A (12 identical rows)
N/A N/A C:\Program Files (x86)\GMInstaller\iWinUpgrader.exe N/A (4 identical rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\GamesManagerInstaller.exe N/A (17 identical rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\GamesManagerInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\GamesManagerInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\GamesManagerInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\GamesManagerInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\GamesManagerInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\GamesManagerInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\GamesManagerInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\GamesManagerInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\GamesManagerInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\GamesManagerInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\GamesManagerInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\GamesManagerInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\GamesManagerInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\GamesManagerInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\GamesManagerInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\GamesManagerInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\GamesManagerInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\GamesManagerInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\GamesManagerInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 760 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\ff6ae12266d02f95b208baf95b04476b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\GamesManagerInstaller.exe
PID 760 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\ff6ae12266d02f95b208baf95b04476b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\GamesManagerInstaller.exe
PID 760 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\ff6ae12266d02f95b208baf95b04476b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\GamesManagerInstaller.exe
PID 3968 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\GamesManagerInstaller.exe C:\Program Files (x86)\GMInstaller\iWinUpgrader.exe
PID 3968 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\GamesManagerInstaller.exe C:\Program Files (x86)\GMInstaller\iWinUpgrader.exe
PID 3968 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\GamesManagerInstaller.exe C:\Program Files (x86)\GMInstaller\iWinUpgrader.exe
PID 1264 wrote to memory of 3460 N/A C:\Program Files (x86)\GMInstaller\ugm_installer.exe C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe
PID 1264 wrote to memory of 3460 N/A C:\Program Files (x86)\GMInstaller\ugm_installer.exe C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe
PID 1264 wrote to memory of 3460 N/A C:\Program Files (x86)\GMInstaller\ugm_installer.exe C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe
PID 3460 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe
PID 3460 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe
PID 3460 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe
PID 3460 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe
PID 3460 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe
PID 3460 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe
PID 3460 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe
PID 3460 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe
PID 3460 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe
PID 3872 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe C:\Users\Admin\AppData\Local\Temp\preinstall-options.exe
PID 3872 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe C:\Users\Admin\AppData\Local\Temp\preinstall-options.exe
PID 3872 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe C:\Users\Admin\AppData\Local\Temp\preinstall-options.exe
PID 3872 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe C:\Users\Admin\AppData\Local\GamesManager\00000000\downloads\7971459608164109350.exe
PID 3872 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe C:\Users\Admin\AppData\Local\GamesManager\00000000\downloads\7971459608164109350.exe
PID 3872 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe C:\Users\Admin\AppData\Local\GamesManager\00000000\downloads\7971459608164109350.exe
PID 2060 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\GamesManager\00000000\downloads\7971459608164109350.exe C:\Users\Admin\AppData\Local\Temp\nswADB1.tmp\iWinInstallOptions.exe
PID 2060 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\GamesManager\00000000\downloads\7971459608164109350.exe C:\Users\Admin\AppData\Local\Temp\nswADB1.tmp\iWinInstallOptions.exe
PID 2060 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\GamesManager\00000000\downloads\7971459608164109350.exe C:\Users\Admin\AppData\Local\Temp\nswADB1.tmp\iWinInstallOptions.exe
PID 3460 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe
PID 3460 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe
PID 3460 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe
PID 3460 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe
PID 3460 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe
PID 3460 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe
PID 3460 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe
PID 3460 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe
PID 3460 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe
PID 3460 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe
PID 3460 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe
PID 3460 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe \??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ff6ae12266d02f95b208baf95b04476b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ff6ae12266d02f95b208baf95b04476b_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\GamesManagerInstaller.exe

"C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\GamesManagerInstaller.exe" -installer.createiwinshortcuts=yes -config.channel=00000000 -config.uri=http://gm/iwin/index.html -config.channelName=iWin -config.iwinrequest="PF/7971459608164109350/7971459598412844403/13/47"

C:\Program Files (x86)\GMInstaller\iWinUpgrader.exe

"C:\Program Files (x86)\GMInstaller\iWinUpgrader.exe" -gmregchannelid=00000000

C:\Program Files (x86)\GMInstaller\ugm_installer.exe

"C:\Program Files (x86)\GMInstaller\ugm_installer.exe" -installer.createiwinshortcuts=yes -config.channel=00000000 -config.uri=http://gm/iwin/index.html -config.channelName=iWin -config.iwinrequest="PF/7971459608164109350/7971459598412844403/13/47"

C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe

"C:\Users\Admin\AppData\Local\GamesManager\GamesManager.exe" -config.uri=http://gm/iwin/index.html -config.channel="00000000" -config.iwinrequest="PF/7971459608164109350/7971459598412844403/13/47"

C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe

"C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe" --type=renderer --enable-logging --log-level=2 --no-sandbox --user-agent="NextDM/2.16.2.1015 AppleWebKit/535.19 (KHTML, like Gecko) GamesManager/2.16.2.1015 00000000 WinVer/6.2 [x64]" --awesomium-log-path="C:\Users\Admin\AppData\Local\GamesManager\./awesomium.log" --lang --channel=3460.0305FC80.1169251183 /prefetch:3

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4f4 0x514

C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe

"C:\Users\Admin\AppData\Local\GamesManager\awesomium_process.exe" --type=gpu-process --channel=3460.0307A230.456480590 --enable-logging --log-level=2 --no-sandbox --awesomium-log-path="C:\Users\Admin\AppData\Local\GamesManager\./awesomium.log" /prefetch:12

C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe

"C:\Users\Admin\AppData\Local\GamesManager\iWinInstaller.exe" -gmregcopysrc="HKEY_LOCAL_MACHINE\Software\iWinArcade" -gmregcopydest="HKEY_CURRENT_USER\Software\iWinArcade" -gmregcopylocalmachinedest="HKEY_LOCAL_MACHINE\Software\iWinArcade" -gmregisiwin=true -gmchannelcode=00000000 -game.sku="7971459608164109350" -game.name="Legendary Slide 2 Platinum Edition" -gmregcopyvirtual=HKU\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\iWinArcade -gmreg="Software\iWinArcade" -gmexe="iWinGames.exe" -gmregkey="Install_Dir" -installer="C:\Users\Admin\AppData\Local\GamesManager\00000000\downloads\7971459608164109350.exe" -preinstallurl="http://gm.iwin.com/dl/preinstall-options.exe" -gamestring=7971459608164109350 -config.installRoot="c:\games\iWin Games" -gmInstallRootRegKey="HKEY_CURRENT_USER\Software\iWinArcade\installRoot"

C:\Users\Admin\AppData\Local\Temp\preinstall-options.exe

"C:\Users\Admin\AppData\Local\Temp\preinstall-options.exe" -gamestring=7971459608164109350 /S

C:\Users\Admin\AppData\Local\GamesManager\00000000\downloads\7971459608164109350.exe

"C:\Users\Admin\AppData\Local\GamesManager\00000000\downloads\7971459608164109350.exe" /S

C:\Users\Admin\AppData\Local\Temp\nswADB1.tmp\iWinInstallOptions.exe

"C:\Users\Admin\AppData\Local\Temp\nswADB1.tmp\iWinInstallOptions.exe" /S

\??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe

"c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe" ALTUSERNAME;DAYSLEFT;TIMELEFTTOTAL;gid7971459608164109350

\??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe

"c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe" ALTUSERNAME;DAYSLEFT;TIMELEFTTOTAL;gid7971459608164109350

\??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe

"c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe" ALTUSERNAME;DAYSLEFT;TIMELEFTTOTAL;gid7971459608164109350

\??\c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe

"c:\games\iWin Games\Legendary Slide 2 Platinum Edition\GLWorker.exe" ALTUSERNAME;DAYSLEFT;TIMELEFTTOTAL;gid7971459608164109350

Network

Country Destination Domain Proto
US 8.8.8.8:53 dl.iwin.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
CZ 65.9.95.69:80 dl.iwin.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 69.95.9.65.in-addr.arpa udp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 static.iwincdn.com udp
FR 68.232.35.54:80 static.iwincdn.com tcp
US 8.8.8.8:53 54.35.232.68.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 gm.iwin.com udp
US 35.175.160.151:80 gm.iwin.com tcp
US 35.175.160.151:80 gm.iwin.com tcp
US 35.175.160.151:80 gm.iwin.com tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 fea.iwincdn.com udp
FR 68.232.35.54:80 fea.iwincdn.com tcp
US 8.8.8.8:53 cimg.iwin.com udp
US 8.8.8.8:53 ws.iwin.com udp
US 34.227.134.18:80 ws.iwin.com tcp
CZ 65.9.95.35:80 cimg.iwin.com tcp
US 8.8.8.8:53 download.iwincdn.com udp
GB 142.250.179.226:80 www.googleadservices.com tcp
PL 93.184.221.131:80 download.iwincdn.com tcp
GB 142.250.187.200:80 www.googletagmanager.com tcp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
GB 142.250.179.226:80 googleads.g.doubleclick.net tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:80 www.google.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 18.134.227.34.in-addr.arpa udp
US 8.8.8.8:53 35.95.9.65.in-addr.arpa udp
US 8.8.8.8:53 226.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 131.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 200.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.google.co.uk udp
GB 216.58.204.67:80 www.google.co.uk tcp
US 8.8.8.8:53 c.pki.goog udp
PL 93.184.221.131:80 download.iwincdn.com tcp
PL 93.184.221.131:80 download.iwincdn.com tcp
PL 93.184.221.131:80 download.iwincdn.com tcp
PL 93.184.221.131:80 download.iwincdn.com tcp
PL 93.184.221.131:80 download.iwincdn.com tcp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.187.227:80 o.pki.goog tcp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 67.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 35.175.160.151:80 ws.iwin.com tcp
US 8.8.8.8:53 dl.iwin.com udp
CZ 65.9.95.69:80 dl.iwin.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\NSISdl.dll

MD5 a5f8399a743ab7f9c88c645c35b1ebb5
SHA1 168f3c158913b0367bf79fa413357fbe97018191
SHA256 dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9
SHA512 824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

C:\Users\Admin\AppData\Local\Temp\nsdB3E0.tmp\nsProcess.dll

MD5 f0438a894f3a7e01a4aae8d1b5dd0289
SHA1 b058e3fcfb7b550041da16bf10d8837024c38bf6
SHA256 30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11
SHA512 f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

C:\Program Files (x86)\GMInstaller\iWinUpgrader.exe

MD5 3d72f38357f46715e675e074d59fc7a9
SHA1 2cf2f0d655fbbff941ae3d5c1e911096fec5bd12
SHA256 86cb79cb393ccbebd65e137cf509f09e0cabaecb93a2d21369488002712af118
SHA512 35f5e1f19490814db7bb041588ed9f6c99a04cdb485c19fbae3e96e59da003c345aa835fe482e904c73577f37eba6f47982dc4ba5d3b5a58396b794830639006

C:\Users\Admin\AppData\Local\Temp\nsdB3E0.tmp\StdUtils.dll

MD5 c291f96471927e7bc49398b0de7168dd
SHA1 eda478005d69ee86126a8378de5007b139e20a5d
SHA256 c169393e49723cfdcdcbcf80e062be9e841539f90e4b7b85b482212715a1f7c6
SHA512 b4244615e99617d437d3120f201ca88c7ab4a6b4b84e7f0c3b4495a0fe8c979e04feaa08f11ad14fa92f002a3a521422221132ff54a081ef1c6bcbdf09d5929d

C:\Users\Admin\AppData\Local\Temp\nsfD227.tmp\System.dll

MD5 bf712f32249029466fa86756f5546950
SHA1 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e
SHA256 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
SHA512 13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

C:\Users\Admin\AppData\Local\GamesManager\110402287\cdata.dat

MD5 11e4b4414b6271b8f8c45511f97d4e5a
SHA1 65ee25560144d22bf7f8bce3b8742a856a8ee6d1
SHA256 db67ca3cf89a6fccd13aa21207e279c3fd3c7bcaf181c65ecfc18cf2da289eb3
SHA512 68e8bce33cfc588f800f486f51c8a1e27b12e58af336946102d61a451341eee875b4cbb2a4203f3cade174b21f9e74cd82d15988abb107564c87c2e3bd088c58

C:\Users\Admin\AppData\Local\GamesManager\00000000\webdata\AppCache\Cache\f_00000c

MD5 201f988a9071a4a4a3d188bdecda38f5
SHA1 4ad903f73ee31f12b1c9e4c820439273cbc92727
SHA256 53c53364808c175a6038f9d0aae8fe3d1f5ce3cf87d5e9fa08f603d845633b37
SHA512 d9af07915a589ee48b08a1b8880d88d6215438292f4a227cbc809086c2dbd5735713c0929758359a8f3391dae746cd9b9de7885d5af560698a21be7d9f5bc025

C:\Users\Admin\AppData\Local\GamesManager\00000000\webdata\AppCache\Cache\f_00000d

MD5 516a9c398435f4e0e519d13091892fca
SHA1 c1a8a3747fed87cf8699c18b6f80f5369e207908
SHA256 de5c4e5ba7b850bbe5d35de5b20f4fd875be1f77ef73f7431172d1e0f6496dc6
SHA512 b79eab3e4abc5bd164d27f282a9913ad0c82bdbcb028be5137b77a429e6384e715d05a90014c23298152d2fe3ad2f90309ca028727ed9750cf29fd55b6d75302

C:\Users\Admin\AppData\Local\GamesManager\00000000\webdata\AppCache\Cache\f_00000e

MD5 4d0d60167bc23a412bcd8880d59e13d8
SHA1 cfbf2a6ed97ed0a30c571d2bbd6eb60731eaea27
SHA256 cd299b9251186ebf3bb0e928e4f710b3b542f0cde01bea6832cbada49138a85d
SHA512 6d56d41161bbe491a8f847ae3782e283a61d40d499d91fa6ef82ea845b347b8337b84e69024828dcbbf884b167afca67bdd67c7593a1a90950bab6fbdbb8eeba

C:\Users\Admin\AppData\Local\GamesManager\00000000\webdata\AppCache\Cache\f_00000b

MD5 0128fb0696c3dd27adc2286988bf9042
SHA1 343db277048078eb9a12b76b8f482aae5d9e7ac2
SHA256 13bf19f7b084c49a6ef22dee10328411f4764e765209956bc1d01c8120cdacdb
SHA512 173b2bd5cdf252380286622fcb9ebd72c361788fcd00a04274dc330f7d20cc152cc29506bd5d03768518bab23053ec98c0ae522fe600987a479a15279d72acbd

C:\Users\Admin\AppData\Local\GamesManager\00000000\webdata\AppCache\Cache\f_00000a

MD5 4e5d5ff08a7703b746695ec19bf96b88
SHA1 3496f9b943d53c957ed8481e3e2cd1ecc0decb4e
SHA256 3e05db9eae5443e2b629ae73496a7872602094fcf63d11eb5d99e63911c89d1e
SHA512 cabe3907ea165502d90b847642cbc4be99108b6eb18ad251f2acfe988131b2ed12fab8516e374c5e2a19b10c9df9c9ed3252cbffb7cd0c0fb9dcd258e2f4bb31

C:\Users\Admin\AppData\Local\GamesManager\00000000\webdata\AppCache\Cache\f_000009

MD5 b41c0b75a60eab42145e9d0b17408b0b
SHA1 0f3151c6c22834079b55fcea9d873c0184b3fd7c
SHA256 209dc679252feca2725cafb6e8fc314f2618bd748db846be6b4e0ca71c55a330
SHA512 f728be6cb869a6279a6ba1d85865c510c6f9905a04226a25965b7b5eb0feadbaf4364f4508b08292eb597b2a9fe14af4e6fa8a9eb56f4e704108dc09e862edbe

C:\Users\Admin\AppData\Local\GamesManager\00000000\webdata\AppCache\Cache\f_000008

MD5 5cc4154e0c0dac8dfeea73c07ccdc83e
SHA1 5d2d995d51b8855d1e1e43b85d8b5a9d22b796ad
SHA256 12d5f1be9a764164f4cc6e7dda726c4ea3d19ea79382d28c75b0dea862608968
SHA512 1112959cfecc25efae799b566dff24f7bfafc60ddd8974ce0cdd653ee834a57090d9f78e2773ad9a826e0ba6e1487c49e1ef957c34385c262914f09ea8b26157

C:\Users\Admin\AppData\Local\GamesManager\00000000\webdata\AppCache\Cache\f_000007

MD5 962bf963a37a6d84fe7fb552763dc094
SHA1 cac681467dac917122dd9b57bd9a78781549a523
SHA256 2f49797d196f00bb331663ac1564c775d65ed1bfb508aec9e4c3b6fc89bb4dc0
SHA512 e378da6a0d29f91eb5a0de3876fda0cc1b5a6e6632f5ddf0d45fcc909084aad70bd99b97a29df15d271593701bd77a92766a1f091540dc3cdf699c9d831b6192

C:\Users\Admin\AppData\Local\GamesManager\00000000\webdata\AppCache\Cache\f_000006

MD5 032f7a630c11189923cae95fb0fa6892
SHA1 74dddaa937b077fb98b584b20e1a3e3ad1bee422
SHA256 b0b84f6aca649b3b9131799ed0983e03b113497df4f33e30a3389ee1b34687ee
SHA512 e24c5a9dfd1f6fcd07dea0b3723a0794fe27042c2f52d0b869e8224ed0a442e73e24d265103ba2f11783b8c408f9724ba11ef76a1e3330ee3b78156ebad406bf

C:\Users\Admin\AppData\Local\GamesManager\00000000\webdata\AppCache\Cache\f_000005

MD5 8c81fab58b8ed37b527b16a37a8065c3
SHA1 5d3d58f8833d9975d6dd5e7153b22a936f2f76bd
SHA256 74d4acb9d62968980f8a096977e3bf42c1ccffb0c7501a7fff1a0ba589b56bd7
SHA512 e99c9eae7718c4154bc2895431261e1ac3cafda565d85474876be004063742d84af1c20f970dd1f30c9c5acbb00d3e7357f7a13376730cbd987a24dcc4086699

C:\Users\Admin\AppData\Local\GamesManager\00000000\webdata\AppCache\Cache\f_00000f

MD5 b6438c9bc90d3e87381b574cdf17ae97
SHA1 86051ff3f018c1a475162597dab27079eef2ec7a
SHA256 a6db907a7ac399d7e920de4ac4b4a92808542039ba32dc6758637bffb413d56d
SHA512 c4d56c8880d5c27085cf64531d2620f84c950107fdda28986eb0bb4d2ce1b4a90f0d890b72f60b48ef2637b3dab7fd99ccf1f507c949ce5f66b52f756c3c6fe6

C:\Users\Admin\AppData\Local\GamesManager\00000000\webdata\AppCache\Cache\f_000004

MD5 7fd8ffea25728006bfddf7e6c7c122cd
SHA1 e3049e9f8a643b8b2cfd2ca5e6ab8bfd483efe99
SHA256 0a6c4c4db171663b9b1c533a4dd6938e22cb4d5b9607d0ca92a20c1354018b49
SHA512 477467568f8c24772fd83680db1e9750c7e377cb706c0fa734e9c8b1bc847cf9a60f4be444044bdbfa4cdb9cb4352f86edd1ea70bdcd86a20b361f9acb2cd58f

C:\Users\Admin\AppData\Local\GamesManager\00000000\webdata\AppCache\Cache\f_000003

MD5 a959af924d21c7b788fe197caf03fc40
SHA1 21733827a5501133619b8ac4533201267d1afa3f
SHA256 4d191ea72953f5806161c3c16ae8e4bb629b47156481bd074acfa5db08000016
SHA512 1fa28a7fe716b328fc43b3e8993875977a2e9f39fd02dfce313d27021403ddfaf7f19c7607bf1350c4c2f05a38170d3621ed33cc60f8b38fb9d1dbda63b120e7

C:\Users\Admin\AppData\Local\GamesManager\00000000\webdata\AppCache\Cache\f_000002

MD5 ae0a675e3e15e28aab8246028df16236
SHA1 772b2587aa2fa345fb760eff9ebe5acd97937243
SHA256 49f14bad610f40f0ae76a33c55ef89a1e694219bab49b1b99cb53d754774c0fc
SHA512 21723efa6aaa2fa599b42c1480c380c24f9aaf14755e82e88054e80713454408bfb047ba77d921d71573d2319f14f134938f3401aa3b92b756670b7c99892caa

C:\Users\Admin\AppData\Local\GamesManager\00000000\webdata\AppCache\Cache\f_000001

MD5 e2ff9e87912d08576c7f26a8014b2525
SHA1 026136afd27657e7edead2f12310275af249caac
SHA256 5e663896f40416a2d5f159e0433dbc9019dbe9d05abb34c1f3a5b38a88b5c03a
SHA512 7b4dfe37205909f2f14669c965821a91daba8be383ce83d119fde5d290bc938eeaf0c70e9d27998f00dc6cdca0d0c0b1b2bbdc13ac2662fc4e766919e092e1d9

C:\Users\Admin\AppData\Local\GamesManager\00000000\webdata\AppCache\Cache\f_000010

MD5 af693f9aea7dae36fb3bef4c9b6e56fb
SHA1 0d7896e2bb23f88e26e52b22a075350b354df447
SHA256 1717ea1fde8ceb7584341a24efc85c853083c660a1185968fbf94520f7193de2
SHA512 11cad7c40e29808104a9b84cfe2f4f1aa80f4ad06a07fd1379c64818fe869c6b6036af36f4dd3304e19b612141e9cf7b04e11c7a38a721ad03c067d9c07b266a

C:\Users\Admin\AppData\Local\GamesManager\00000000\webdata\AppCache\Cache\f_000011

MD5 3c4b51f57a2ff4369261b845d84ca1ea
SHA1 3bb9a2f72d5fa0a9c4140ab74212d4cdd25fa323
SHA256 379bc709031d0e429a41012efd921210bcfd409ecaabe35257a3716032eb99a3
SHA512 81d0120f63e30cc5b31fc98af2caf75cd836defedf08a1918b019a4bd7fdc9746340ef81f7ead84299d6eceb3812a6edc79481344dd7ef19d7af572b1f2bac3d

C:\Users\Admin\AppData\Local\GamesManager\00000000\webdata\AppCache\Cache\f_000012

MD5 5ce0a99458a2c7f2c0a6f3eb1a03d1d5
SHA1 6b3fdc4185f603a0948d2e8b7bc818763d7e2668
SHA256 6c5c0a29044c5aeec37211b18908acd0576b9dabc9d6fe95c8066cdc55146c0f
SHA512 5939d60a40f729b7ea19d6c9c1d264d7a174c6436748ea8c9619e7a20c1f1d4889f7e9b4cd017a889c985e9d2fd272e01d3e03d6b97325b2e8de5f3f9e1f2d67

C:\Users\Admin\AppData\Local\GamesManager\00000000\webdata\AppCache\Cache\f_000013

MD5 107a4b9f1d95df5b969cced5c7248ded
SHA1 9341318acb76e81987277b335656f6d265066691
SHA256 295eac26825508b5f37f27c69b99d426582fe80752f636c69f1795be8f5d5ea4
SHA512 36c22b62a0377831b37ecc4f34b6912842bc57c2f9351548d1ba120ca2c9abaca709cd40046abc06d4b77694cbf1977b8f5d7ce899653f130ac697402e127857

C:\Users\Admin\AppData\Local\GamesManager\00000000\webdata\AppCache\Cache\f_000014

MD5 7776d481997157e93d96f8589c3ae050
SHA1 13007e647ea91299b5aaaf7fc03a30bb65c38cd0
SHA256 74cd4d1f792e1200fd426048b53970c4eaeb5e5c1c789d034bffdff68167b3be
SHA512 12401e53282bcb20f6287f73b0d51c1c018cb0013df2d03e7d719eaa9e7fe952b9252c22445b67acdd78696f7b464045aed14f6e795922680fe733a0084a6217

C:\Users\Admin\AppData\Local\GamesManager\00000000\webdata\AppCache\Cache\f_000015

MD5 112aef1f1740c497873762c576ba91ec
SHA1 63de6bd3e38f536213dddddb20c5cb61c232078f
SHA256 7f6a44eb7632c2cb6f990ede10a58c2cc3fb923bae1761f1be8e2a9ea3847b78
SHA512 9b3f9e5b4f911e0fc8404e89a68e308b14b4d2470d8358f95991d04abbc5ee04e3d93255deba720d3589f278938cf92710cc4f38f6b26c778d82d4680da89fbb

C:\Users\Admin\AppData\Local\GamesManager\00000000\webdata\AppCache\Cache\f_000016

MD5 5a52b3c4658c45fa0d16f1b245cba28d
SHA1 1066afce3c4ca00ca7f61c628f6ba4a615b50c4f
SHA256 f148af9bffe215b1396117bb04aeb9f35fc82f346999a767a363198e9878ceae
SHA512 08ed56e8ef57a87bc84cc82355fbb9b5742a3a3218c5bf27369d2fc7d71d5c740af8c8830a85af3544ae5f2e96f59c9a0267a512a5c009c3e03683a3ef5f85bd

memory/1568-1058-0x0000000071C30000-0x0000000071DE2000-memory.dmp

memory/1568-1085-0x0000000071C30000-0x0000000071DE2000-memory.dmp

memory/1568-1098-0x0000000073D90000-0x0000000073DC3000-memory.dmp

memory/1568-1097-0x0000000073D90000-0x0000000073DC3000-memory.dmp

memory/1568-1096-0x0000000073D90000-0x0000000073DC3000-memory.dmp

memory/1568-1095-0x0000000073D90000-0x0000000073DC3000-memory.dmp

memory/1568-1094-0x0000000073D90000-0x0000000073DC3000-memory.dmp

memory/1568-1093-0x0000000073D90000-0x0000000073DC3000-memory.dmp

memory/1568-1092-0x0000000073D90000-0x0000000073DC3000-memory.dmp

memory/1568-1091-0x0000000071C30000-0x0000000071DE2000-memory.dmp

memory/1568-1090-0x0000000071C30000-0x0000000071DE2000-memory.dmp

memory/1568-1088-0x0000000071C30000-0x0000000071DE2000-memory.dmp

memory/1568-1087-0x0000000071C30000-0x0000000071DE2000-memory.dmp

memory/1568-1084-0x0000000071C30000-0x0000000071DE2000-memory.dmp

memory/1568-1083-0x0000000071C30000-0x0000000071DE2000-memory.dmp

memory/1568-1082-0x0000000071C30000-0x0000000071DE2000-memory.dmp

memory/1568-1081-0x0000000071C30000-0x0000000071DE2000-memory.dmp

memory/1568-1080-0x0000000071C30000-0x0000000071DE2000-memory.dmp

memory/1568-1078-0x0000000071C30000-0x0000000071DE2000-memory.dmp

memory/1568-1077-0x0000000071C30000-0x0000000071DE2000-memory.dmp

memory/1568-1076-0x0000000071C30000-0x0000000071DE2000-memory.dmp

memory/1568-1074-0x0000000071C30000-0x0000000071DE2000-memory.dmp

memory/1568-1073-0x0000000071C30000-0x0000000071DE2000-memory.dmp

memory/1568-1072-0x0000000071C30000-0x0000000071DE2000-memory.dmp

memory/1568-1070-0x0000000071C30000-0x0000000071DE2000-memory.dmp

memory/1568-1069-0x0000000071C30000-0x0000000071DE2000-memory.dmp

memory/1568-1068-0x0000000071C30000-0x0000000071DE2000-memory.dmp

memory/1568-1067-0x0000000071C30000-0x0000000071DE2000-memory.dmp

memory/1568-1065-0x0000000071C30000-0x0000000071DE2000-memory.dmp

memory/1568-1063-0x0000000071C30000-0x0000000071DE2000-memory.dmp

memory/1568-1062-0x0000000071C30000-0x0000000071DE2000-memory.dmp

memory/1568-1061-0x0000000071C30000-0x0000000071DE2000-memory.dmp

memory/1568-1059-0x0000000071C30000-0x0000000071DE2000-memory.dmp

memory/1568-1089-0x0000000071C30000-0x0000000071DE2000-memory.dmp

memory/1568-1086-0x0000000071C30000-0x0000000071DE2000-memory.dmp

memory/1568-1079-0x0000000071C30000-0x0000000071DE2000-memory.dmp

memory/1568-1075-0x0000000071C30000-0x0000000071DE2000-memory.dmp

memory/1568-1071-0x0000000071C30000-0x0000000071DE2000-memory.dmp

memory/1568-1066-0x0000000071C30000-0x0000000071DE2000-memory.dmp

memory/1568-1064-0x0000000071C30000-0x0000000071DE2000-memory.dmp

memory/1568-1060-0x0000000071C30000-0x0000000071DE2000-memory.dmp

C:\Users\Admin\AppData\Local\GamesManager\00000000\webdata\Cache\index

MD5 a61db77e55430b847740ab5bb2cbc080
SHA1 95feedb04b2454343289919b6e8737be311f1d16
SHA256 943e7bf26f7a0b91ab14ab695c056b5d4de956ee75fec2ab805a04efe2b92da2
SHA512 1e19e58811490b59bff5c3a171b47863bec73b03f6033eeeb3ebc871f667fb6f8341ce667d4f3bc3091eec136af0e5a3e5e418606a8ecb3f8960e35466abb63d

memory/1568-1114-0x0000000073D90000-0x0000000073DC3000-memory.dmp

memory/1568-1112-0x0000000071C30000-0x0000000071DE2000-memory.dmp

memory/1568-1113-0x0000000074720000-0x0000000074747000-memory.dmp

memory/1568-1115-0x0000000003270000-0x0000000003271000-memory.dmp

memory/1568-1179-0x0000000073D90000-0x0000000073DC3000-memory.dmp

memory/1568-1177-0x0000000071C30000-0x0000000071DE2000-memory.dmp

memory/1568-1178-0x0000000074720000-0x0000000074747000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\preinstall-options.exe

MD5 a20e6e80fca5126c64c469d8882c8b03
SHA1 9037bde28752b5bc54b2e0a76c753e94981c362f
SHA256 bd97b982be79ace9c3ca0ec4fa7572d9005eaa164426d9cb81f63e17f88d31c2
SHA512 f1d82d31ef70206bb178fdd17f4bbcd635ef74da11b5989c771a3fb9aed8603a0dc4768945780a19619c482661ae09c11b8e74b837a43cd98ccde6440e0d8e4f

C:\Users\Admin\AppData\Local\Temp\nsaAA75.tmp\System.dll

MD5 56a321bd011112ec5d8a32b2f6fd3231
SHA1 df20e3a35a1636de64df5290ae5e4e7572447f78
SHA256 bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1
SHA512 5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3

C:\Users\Admin\AppData\Local\Temp\nswADB1.tmp\nsisdl.dll

MD5 a5a4cee2eb89d2687c05ef74299f0dba
SHA1 b9bff5987be422887f2f402357b47db2288a1a42
SHA256 cb82268b778703db75961cddef33a695a674f0dfd28b7e710b198ef2d26d3963
SHA512 f485267c6239f84d294ed4b0a82f317081e6e2e0c5613bd012bbd496b9ebccb8aca6944e80f84af51d17ac13f4d83480c34edfe37a3a9508ce0e67fc9f0b96f0

C:\Users\Admin\AppData\Local\Temp\nswADB1.tmp\System.dll

MD5 960a5c48e25cf2bca332e74e11d825c9
SHA1 da35c6816ace5daf4c6c1d57b93b09a82ecdc876
SHA256 484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2
SHA512 cc450179e2d0d56aee2ccf8163d3882978c4e9c1aa3d3a95875fe9ba9831e07ddfd377111dc67f801fa53b6f468a418f086f1de7c71e0a5b634e1ae2a67cd3da

memory/4128-1875-0x0000000000400000-0x000000000060C000-memory.dmp

memory/4128-1877-0x0000000002AB0000-0x0000000002CBC000-memory.dmp

memory/4128-1881-0x0000000002AB0000-0x0000000002CBC000-memory.dmp

memory/4128-1884-0x0000000000400000-0x000000000060C000-memory.dmp

memory/4128-1891-0x0000000000400000-0x000000000060C000-memory.dmp

memory/3020-1910-0x0000000000400000-0x000000000060C000-memory.dmp

memory/3076-1929-0x0000000000400000-0x000000000060C000-memory.dmp

memory/4828-1948-0x0000000000400000-0x000000000060C000-memory.dmp